SELinux remove or leave the old SSH port label?

Florian Mertens asked:

I am following this (basic) security guide to change my Server’s SSH port to something else.

It says:

$ semanage port -a -t ssh_port_t -p tcp 2345 #Change me 

…which would add a new label on top of port 2345 to say that this is relevant for SSH, and that the SSH process can access this port.

What bugs me, is that this does NOT remove the label on the old port 22.

Is it safer to leave the old label in place, or is it safer to remove it? I don’t know if the default setting for ports are within confined or unconfined space, and I think this may matter.

Please correct me if I am wrong, but the command for removing the old port is:

# semanage port -d -p tcp 22

My answer:

There’s no significant reason to remove the port type label from port 22 (nor is relocating your ssh server to another port necessarily going to make you more secure). If you do remove the label, then sshd will not be able to bind to port 22 and listen for connections.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.